From: Redouane Kachach <rkachach@ibm.com>
Date: Fri, 28 Nov 2025 08:38:45 +0000 (+0100)
Subject: mgr/cephadm: Fix mgmt-gateway default port in get_port_start()
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=0b8a27aa978d71b28c065d2ae30a1ad6b45cf825;p=ceph.git

mgr/cephadm: Fix mgmt-gateway default port in get_port_start()

The mgmt-gateway port was already defaulted to 443 in most places, but
get_port_start() did not apply this default. Since the output of
get_port_start() is used both to configure the daemon ports which are
later used to to open them in firewalld, this inconsistency meant the
HTTPS port was not opened when firewalld service was active.

This change makes get_port_start() also default to port 443, ensuring
the daemon is configured correctly and the corresponding firewalld port
is opened as expected.

Fixes: https://tracker.ceph.com/issues/74015

Signed-off-by: Redouane Kachach <rkachach@ibm.com>
---

diff --git a/src/pybind/mgr/cephadm/tests/services/test_mgmt_gateway.py b/src/pybind/mgr/cephadm/tests/services/test_mgmt_gateway.py
index 5747cd7a169..e8b3aff093f 100644
--- a/src/pybind/mgr/cephadm/tests/services/test_mgmt_gateway.py
+++ b/src/pybind/mgr/cephadm/tests/services/test_mgmt_gateway.py
@@ -792,3 +792,29 @@ class TestMgmtGateway:
                     error_ok=True,
                     use_current_daemon_image=False,
                 )
+
+    @patch("cephadm.serve.CephadmServe._run_cephadm")
+    def test_mgmt_gateway_default_port_is_443_when_unspecified(
+        self,
+        _run_cephadm,
+        cephadm_module: CephadmOrchestrator,
+    ):
+        """
+        When no --port is provided and the spec has no port field,
+        the mgmt-gateway daemon spec must use port 443 so that
+        firewalld can open the correct port.
+        """
+
+        _run_cephadm.side_effect = async_side_effect(('{}', '', 0))
+
+        # NOTE: no port passed here, let's test the defaults
+        spec = MgmtGatewaySpec()
+        with with_host(cephadm_module, 'ceph-node'):
+            with with_service(cephadm_module, spec):
+                HTTPS_PORT = 443
+                # Inspect the daemon spec passed to cephadm
+                deployed = json.loads(_run_cephadm.call_args.kwargs['stdin'])
+                # The default port must be 443 (from get_port_start)
+                assert 'tcp_ports' in deployed['params']
+                assert deployed['params']['tcp_ports'] == [HTTPS_PORT]
+                assert deployed['meta']['ports'] == [HTTPS_PORT]
diff --git a/src/python-common/ceph/deployment/service_spec.py b/src/python-common/ceph/deployment/service_spec.py
index 527a4107631..89f768ab23b 100644
--- a/src/python-common/ceph/deployment/service_spec.py
+++ b/src/python-common/ceph/deployment/service_spec.py
@@ -2438,6 +2438,8 @@ class MgmtGatewaySpec(ServiceSpec):
         ports = []
         if self.port is not None:
             ports.append(cast(int, self.port))
+        else:
+            ports.append(443)  # default HTTPS port
         return ports
 
     def validate(self) -> None: